Allele Security Alert
ASA-2018-00081
Identifier(s)
ASA-2018-00081, TYPO3-CORE-SA-2018-008
Title
Cross-Site Scripting in Frontend User Login
Vendor(s)
TYPO3 Association
Product(s)
TYPO3
Affected version(s)
TYPO3 7.0.0-7.6.31, 8.0.0-8.7.20 and 9.0.0-9.5.1
Fixed version(s)
TYPO3 versions 7.6.32, 8.7.21 or 9.5.2
Proof of concept
Unknown
Description
Because user-supplied field values are not properly encoded, the login status display in the website frontend is vulnerable to cross-site scripting. A valid user account is needed in order to exploit this vulnerability: either a backend user, or a frontend user who is able to modify their own user profile (and thereby the fe_users fields that are rendered).
Technical details
Two code paths render data of the currently logged-in frontend user without sanitizing it, which allows XSS attacks by frontend users who control that data.
1. EXT:felogin adds a ###FEUSER_{fieldname}### marker for every field that exists in the fe_users DB table. These markers CAN be post-processed by TypoScript, but out of the box they are substituted unencoded and are therefore insecure by default.
2. config.USERNAME_substToken = <!--###USERNAME###--> replaces the token in the rendered page with the username of the logged-in user; the substitution was done without encoding and is therefore insecure as well.
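The following is an added illustration of the two sink patterns described above; it is not TYPO3 core code and does not reproduce the structure of the fixed files. It models each pattern as a small function with a switch between the pre-fix behaviour (raw substitution) and the post-fix behaviour (HTML-encoded substitution). The fe_users row, the template strings and the payload values are constructed sample data, and the choice of htmlspecialchars() with ENT_QUOTES | ENT_HTML5 is an assumption about how the encoding is done, not a statement about the actual patch.

```php
<?php
// Added example, not TYPO3 code: models the two unsanitized sinks from TYPO3-CORE-SA-2018-008.

// Constructed fe_users row. A frontend user who may edit their profile controls these values.
// The payloads are illustrative markup, not a tested exploit chain against TYPO3.
function sampleFrontendUser(): array
{
    return [
        'uid'      => 42,
        'username' => 'alice"><img src=x onerror=alert(1)>',
        'name'     => 'Alice <script>alert(document.cookie)</script>',
        'email'    => 'alice@example.test',
    ];
}

// Pattern 1: felogin-style ###FEUSER_{FIELD}### markers built from every fe_users column.
// $escape = false reproduces the behaviour the advisory describes (raw values);
// $escape = true applies output encoding (assumed flags, see lead-in).
function buildFeUserMarkers(array $user, bool $escape): array
{
    $markers = [];
    foreach ($user as $field => $value) {
        $value = (string)$value;
        $markers['###FEUSER_' . strtoupper($field) . '###'] = $escape
            ? htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8')
            : $value;
    }
    return $markers;
}

// Simple marker substitution over a template string.
function substituteMarkers(string $template, array $markers): string
{
    return strtr($template, $markers);
}

// Pattern 2: the TSFE replacing config.USERNAME_substToken (default <!--###USERNAME###-->)
// in the fully rendered page with the username of the logged-in user.
function substituteUsernameToken(string $page, string $token, string $username, bool $escape): string
{
    $replacement = $escape
        ? htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        : $username;
    return str_replace($token, $replacement, $page);
}

$user     = sampleFrontendUser();
$template = '<p>Welcome back, ###FEUSER_NAME###!</p>';
$page     = '<div class="status">Logged in as <!--###USERNAME###--></div>';
$token    = '<!--###USERNAME###-->';

echo "Pattern 1, unencoded (vulnerable):\n";
echo substituteMarkers($template, buildFeUserMarkers($user, false)), "\n";
// <p>Welcome back, Alice <script>alert(document.cookie)</script>!</p>

echo "Pattern 1, encoded (fixed):\n";
echo substituteMarkers($template, buildFeUserMarkers($user, true)), "\n\n";
// <p>Welcome back, Alice &lt;script&gt;alert(document.cookie)&lt;/script&gt;!</p>

echo "Pattern 2, unencoded (vulnerable):\n";
echo substituteUsernameToken($page, $token, $user['username'], false), "\n";
// <div class="status">Logged in as alice"><img src=x onerror=alert(1)></div>

echo "Pattern 2, encoded (fixed):\n";
echo substituteUsernameToken($page, $token, $user['username'], true), "\n";
// <div class="status">Logged in as alice&quot;&gt;&lt;img src=x onerror=alert(1)&gt;</div>
```

Run it with `php example.php`. The point worth checking in your own templates is the one the advisory makes for pattern 1: because a marker exists for every fe_users column, any column a frontend user can edit becomes an injection point the moment a template references it, so the encoding has to happen where the markers are built, not in individual templates. For pattern 2, the substitution runs over the already rendered page, so a token placed inside an attribute value is just as exposed as one placed in element content; encoding with ENT_QUOTES covers both contexts.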
Credits
Thomas Löffler and Benni Mack (TYPO3 core team)
Reference(s)
TYPO3 9.5.2, 8.7.21 and 7.6.32 security releases published
https://typo3.org/article/typo3-952-8721-and-7632-security-releases-published/
TYPO3-CORE-SA-2018-008: Cross-Site Scripting in Frontend User Login
https://typo3.org/security/advisory/typo3-core-sa-2018-008/
[SECURITY] Prevent XSS with fe_users data in felogin/TSFE
https://github.com/TYPO3/TYPO3.CMS/commit/1c85fe70269e2ff8ecf0b6d5f16550c6cd0ddc78
[TYPO3-announce] Announcing TYPO3 v9.5.2, v8.7.21 and v7.6.32 security releases
http://lists.typo3.org/pipermail/typo3-announce/2018/000435.html
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 1, 2019